% Licensed under the Apache License, Version 2.0 (the "License"); you may not
% use this file except in compliance with the License. You may obtain a copy of
% the License at
%
%   http://www.apache.org/licenses/LICENSE-2.0
%
% Unless required by applicable law or agreed to in writing, software
% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
% License for the specific language governing permissions and limitations under
% the License.

-module(chttpd_auth_request).
-export([authorize_request/1]).
-include_lib("couch/include/couch_db.hrl").

authorize_request(#httpd{auth = Auth, user_ctx = Ctx} = Req) ->
    try
        authorize_request_int(Req)
    catch
        throw:{forbidden, Msg} ->
            case {Auth, Ctx} of
                {{cookie_auth_failed, {Error, Reason}}, _} ->
                    throw({forbidden, {Error, Reason}});
                {_, #user_ctx{name = null}} ->
                    throw({unauthorized, Msg});
                {_, _} ->
                    throw({forbidden, Msg})
            end
    end.

authorize_request_int(#httpd{path_parts = []} = Req) ->
    Req;
authorize_request_int(#httpd{path_parts = [<<"favicon.ico">> | _]} = Req) ->
    Req;
authorize_request_int(#httpd{path_parts = [<<"_all_dbs">> | _]} = Req) ->
    maybe_admin_only_dbs(Req);
authorize_request_int(#httpd{path_parts = [<<"_dbs_info">> | _]} = Req) ->
    maybe_admin_only_dbs(Req);
authorize_request_int(#httpd{path_parts = [<<"_replicator">>], method = 'PUT'} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_replicator">>], method = 'DELETE'} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_replicator">>, <<"_all_docs">> | _]} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_replicator">>, <<"_changes">> | _]} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_replicator">> | _]} = Req) ->
    db_authorization_check(Req);
authorize_request_int(#httpd{path_parts = [<<"_reshard">> | _]} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_users">>], method = 'PUT'} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_users">>], method = 'DELETE'} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_users">>, <<"_all_docs">> | _]} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_users">>, <<"_changes">> | _]} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [<<"_users">> | _]} = Req) ->
    db_authorization_check(Req);
authorize_request_int(#httpd{path_parts = [<<"_", _/binary>> | _]} = Req) ->
    server_authorization_check(Req);
authorize_request_int(#httpd{path_parts = [_DbName], method = 'PUT'} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [_DbName], method = 'DELETE'} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [_DbName, <<"_compact">> | _]} = Req) ->
    require_db_admin(Req);
authorize_request_int(#httpd{path_parts = [_DbName, <<"_view_cleanup">>]} = Req) ->
    require_db_admin(Req);
authorize_request_int(#httpd{path_parts = [_DbName, <<"_sync_shards">>]} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [_DbName, <<"_purge">>]} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [_DbName, <<"_purged_infos_limit">>]} = Req) ->
    require_admin(Req);
authorize_request_int(#httpd{path_parts = [_DbName | _]} = Req) ->
    db_authorization_check(Req).

server_authorization_check(#httpd{path_parts = [<<"_up">>]} = Req) ->
    Req;
server_authorization_check(#httpd{path_parts = [<<"_uuids">>]} = Req) ->
    Req;
server_authorization_check(#httpd{path_parts = [<<"_session">>]} = Req) ->
    Req;
server_authorization_check(#httpd{path_parts = [<<"_replicate">>]} = Req) ->
    require_authenticated_user(Req);
server_authorization_check(#httpd{path_parts = [<<"_stats">>]} = Req) ->
    Req;
server_authorization_check(#httpd{path_parts = [<<"_active_tasks">>]} = Req) ->
    Req;
server_authorization_check(#httpd{path_parts = [<<"_dbs_info">>]} = Req) ->
    Req;
server_authorization_check(#httpd{method = Method, path_parts = [<<"_utils">> | _]} = Req) when
    Method =:= 'HEAD' orelse Method =:= 'GET'
->
    Req;
server_authorization_check(#httpd{path_parts = [<<"_node">>, _, <<"_stats">> | _]} = Req) ->
    require_metrics(Req);
server_authorization_check(#httpd{path_parts = [<<"_node">>, _, <<"_system">> | _]} = Req) ->
    require_metrics(Req);
server_authorization_check(#httpd{path_parts = [<<"_node">>, _, <<"_prometheus">> | _]} = Req) ->
    require_metrics(Req);
server_authorization_check(#httpd{path_parts = [<<"_", _/binary>> | _]} = Req) ->
    require_admin(Req).

db_authorization_check(#httpd{path_parts = [DbName | _], user_ctx = Ctx} = Req) ->
    {_} = fabric:get_security(DbName, [{user_ctx, Ctx}]),
    Req.

require_metrics(#httpd{user_ctx = #user_ctx{roles = UserRoles}} = Req) ->
    IsAdmin = lists:member(<<"_admin">>, UserRoles),
    IsMetrics = lists:member(<<"_metrics">>, UserRoles),
    case {IsAdmin, IsMetrics} of
        {true, _} -> Req;
        {_, true} -> Req;
        _ -> throw({unauthorized, <<"You are not a server admin or read-only metrics user">>})
    end.

require_admin(Req) ->
    ok = couch_httpd:verify_is_server_admin(Req),
    Req.

require_db_admin(#httpd{path_parts = [DbName | _], user_ctx = Ctx} = Req) ->
    Sec = fabric:get_security(DbName, [{user_ctx, Ctx}]),

    case is_db_admin(Ctx, Sec) of
        true -> Req;
        false -> throw({unauthorized, <<"You are not a server or db admin.">>})
    end.

require_authenticated_user(#httpd{user_ctx = #user_ctx{name = null}}) ->
    throw({unauthorized, <<"You are not an authenticated user">>});
require_authenticated_user(#httpd{} = Req) ->
    Req.

is_db_admin(#user_ctx{name = UserName, roles = UserRoles}, {Security}) ->
    {Admins} = couch_util:get_value(<<"admins">>, Security, {[]}),
    Names = couch_util:get_value(<<"names">>, Admins, []),
    Roles = couch_util:get_value(<<"roles">>, Admins, []),
    case check_security(roles, UserRoles, [<<"_admin">> | Roles]) of
        true -> true;
        false -> check_security(names, UserName, Names)
    end.

check_security(roles, [], _) ->
    false;
check_security(roles, UserRoles, Roles) ->
    UserRolesSet = ordsets:from_list(UserRoles),
    RolesSet = ordsets:from_list(Roles),
    not ordsets:is_disjoint(UserRolesSet, RolesSet);
check_security(names, _, []) ->
    false;
check_security(names, null, _) ->
    false;
check_security(names, UserName, Names) ->
    lists:member(UserName, Names).

maybe_admin_only_dbs(Req) ->
    case config:get_boolean("chttpd", "admin_only_all_dbs", true) of
        true -> require_admin(Req);
        false -> Req
    end.
